CI_COMMIT_TAG_MESSAGE includes PGP signature when using signed tags
Summary
The new variable CI_COMMIT_TAG_MESSAGE seems to also include the PGP signature when using signed tags. I expected this to only include the message.
Steps to reproduce
Just add a signed tag and print the variable. In our example we used the release feature. The PGP signature is visible in the description of the newly created release.
release_job:
  stage: .pre
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo "Running the release job."
  release:
    tag_name: $CI_COMMIT_TAG
    name: $CI_COMMIT_TAG
    description: $CI_COMMIT_TAG_MESSAGE
Example Project
What is the current bug behavior?
The CI_COMMIT_TAG_MESSAGE includes body and PGP.
Some message
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
What is the expected correct behavior?
The CI_COMMIT_TAG_MESSAGE includes only the body and no PGP.
Some message
Possible fixes
I'm not sure this is related, but it seems so. The following git command gives a similar result (as the bug):
git tag -l v1.0.0 --format='%(body)'
While the more specific `contents:body` leaves out the PGP signature:
git tag -l v1.0.0 --format='%(contents:body)'
Technical Proposal
- Let the `message` field include the tag message without the signature.
- If required, modify Gitaly tag proto to include as a separate `signature` field.
- Above two changes will require changes to Gitaly repository. Fix in review via gitaly!5286 (closed)
- On Rails side there will be no change required.
- Supporting PGP signature on Rails for signed tags is already tracked in existing issue #19260
Roadmap
- For `gitlab.com`, once gitaly!5286 (closed) is merged and deployed the fix should work.
- For on-premise moving to Gitaly 15.9 once available should fix the problem.
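A job-side way to get the expected behaviour described above until the fix is deployed, added here as an example (not part of the original issue and not GitLab or Gitaly code): a POSIX shell function, hypothetically named `strip_tag_signature`, that cuts a tag message at the last line starting with one of the marker lines git uses for OpenPGP, SSH and X.509 signatures. The sample message is constructed.

```shell
#!/bin/sh
# strip_tag_signature MESSAGE
# Prints MESSAGE without a trailing signature block and without the blank
# lines that separate the body from it. Hypothetical helper for illustration.
strip_tag_signature() {
    printf '%s\n' "$1" | awk '
        # Remember the LAST line that opens a signature block, so a body
        # that merely quotes a marker earlier on is not truncated there.
        /^-----BEGIN (PGP SIGNATURE|PGP MESSAGE|SSH SIGNATURE|SIGNED MESSAGE)-----/ { cut = NR }
        { line[NR] = $0 }
        END {
            last = cut ? cut - 1 : NR            # no marker: keep everything
            while (last > 0 && line[last] == "") # drop trailing blank lines
                last--
            for (i = 1; i <= last; i++) print line[i]
        }'
}

# Constructed sample in the shape reported in this issue; the signature
# payload is a placeholder, not a real signature.
sample_message='Some message

-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-DATA
-----END PGP SIGNATURE-----'

# In a pipeline the input would be "$CI_COMMIT_TAG_MESSAGE".
strip_tag_signature "$sample_message"
```

The function can be called from a job's `script:` section, writing the cleaned text wherever the job needs it.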